Main navigation

Repairing permissions diagrammed

Today’s episode of macOS in diagrams looks at the procedures known as repairing permissions, which proved a panacea for some ills before all the system files were protected by SIP, and has since made something of a comeback.

The first thing that confuses many users is that repairing permissions before SIP is very different from now. We used to run a tool in Disk Utility, which checked all the system file permissions against those installed in macOS and its updates. With SIP, there’s nothing to correct, as SIP blocks any attempts to change those permissions in the first place.

Modern repair permissions works instead on your Home folder, mostly on the Library folder within that. Let the diagram explain what, why, and how.

There are a couple of issues which merit further consideration.

First, if you check permissions on ~/Library/Containers, you’ll always find many items which the current user can’t read or write. This is because this folder contains the Sandboxes of apps distributed through the App Store. Those apps are restricted to their individual Sandbox, so within each of those containers is a whole nest of links to other folders, including back to ~/Library itself. If you follow those links, as PermissionScanner does, then you will see many files in locations where you shouldn’t have write permissions, for instance. That is perfectly correct, and when repairing permissions any changes shouldn’t propagate out into those containers.

The other issue is also not mentioned by Apple: global preference settings and other key files which are kept in /Library. Incorrect permissions on preferences and other settings files there can also cause problems, such as stuck system keyboard settings which are used when logging in. Apple’s procedure doesn’t cover those, but you can use PermissionScanner to discover problems, then correct them in the Finder or at the command line.

I hope that you find this helpful, and that it makes clear the difference between the old and new repair of permissions.

4Comments

I don’t think I have run any app that corrects file permissions since Sierra and thought that when entering into Command+R and kicking Disk Utility into gear that it did it. How does one go about it if you have to drop SIP?

The ability of Disk Utility and its command line equivalent diskutil to repair system file permissions was removed in macOS 10.11, with the advent of SIP. As far as I can see, there is no app or tool which can perform this now. It is actually quite a complex task: to do it properly, you have to work through all the system and security updates and check what the permissions should be from those.
The only alternative now is to re-install macOS.
Howard.

There is a problem there, in that it would have access the normal boot volume to be able to read all the system and security update information from there, to determine the correct permissions. So that would require a very different version of Disk Utility from the one in /Applications/Utilities.
If something has changed the permissions now, you also have to wonder what else it might have done – reinstalling is likely to be the best solution.
Howard.